Hi,
I am evaluating Pritunl and have signed up for Pritunl Premium.
The User Groups feature would appear to provide the ACL capability I would like to have, but I cannot find how to implement it.
Questions?
Is it available on the Premium version?
Assuming it is available, where can I find detail on how to set it up?
If it is not available on Premium, is there another practical way to limit clients' access to some resources?
An enterprise subscription is required for the groups option. Organizations should be used as groups. If there are overlapping access control requirements the groups option can be used instead.
To use user groups all single sign-on users must be in one organization. The organization then needs to be attached to all servers. Then the groups option in each server can be configured to select which user groups will have access to that server.
To apply user groups the following commands will switch the single sign-on from matching organizations to copying the groups from the single sign-on provider to the Pritunl user. For SAML providers the groups SAML attribute can be used to set the user groups.
sudo pritunl set app.sso_azure_mode '"groups"'
sudo pritunl set app.sso_authzero_mode '"groups"'
sudo pritunl set app.sso_google_mode '"groups"'
It is also possible to manually set user groups in the user settings but this would be overwritten if the user is using single sign-on.
Hi Zach,
Thank you for your extremely prompt response (as always!).
The combination of US$ and the price per month makes the Enterprise option a “bridge too far” for our small organisation. With the rapidly changing rate between AU$ and US$, too hard to even budget!
Hi Zach,
For clarity, in the Premium version, can I assume that there is no way to restrict what users can access?
Just in case I am missing something obvious.
Regards
Organizations are intended to function as groups. Users will only have access to the servers that the user's organization is attached to. Multiple servers can be created to handle different sets of routes. The user groups are only intended for configurations that can’t be handled by multiple organizations.
Does this mean it doesn’t matter what Azure AD group the user is a member of? As long as they are a user in the Azure AD organization that is connected to the server?
The Azure groups would be matched to an existing Pritunl organization by default. If the groups mode is used then the Azure groups would be copied to the Pritunl user groups. Assuming the server has groups configured then both the organization and at least one group must match. If the server has no groups configured user groups are ignored and only the organization must match.
How does the system behave when a user belongs to multiple Azure groups and each one of those groups is defined as an Organization in Pritunl? For example:
Let’s say user1 belongs to Azure groups, vpn-group1, vpn-group2 and vpn-group3. In Pritunl, there are three organizations also called vpn-group1, vpn-group2 and vpn-group3. Also, in Pritunl, there are three servers. Server1 is attached to vpn-group1, server2 is attached to vpn-group2, etc.
When user1 logs into the Pritunl web portal, which organization/server will the user be assigned to?
The sorting is handled in the handlers/sso.py file. The python sorted() function is used to iterate through each group and match to the first organization found in the database.
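As an added example, not Pritunl's own code: a small Python model of the matching rules described in the two answers above (in the default mode, the first group in sorted() order that names an existing organization wins; a server with groups configured requires the organization and at least one group to match, a server without groups checks the organization only). The "sso" organization and the groups-mode server layout are assumed for illustration.

```python
# Added illustration, not Pritunl's code: a model of the organization and
# group matching rules described in this thread, to reason about which
# servers a single sign-on user can reach under each SSO mode.

def pick_organization(sso_groups, existing_orgs):
    """Default SSO mode: walk the user's groups with sorted() and map to the
    first one that names an existing organization (first match wins)."""
    for group in sorted(sso_groups):
        if group in existing_orgs:
            return group
    return None

def resolve_user(sso_groups, mode, existing_orgs, sso_org=None):
    """Build the Pritunl user from the SSO groups. Mode "org": organization
    matched from the groups, no user groups. Mode "groups": every SSO user
    lands in the single organization sso_org and the groups are copied."""
    if mode == "groups":
        return {"org": sso_org, "groups": set(sso_groups)}
    return {"org": pick_organization(sso_groups, existing_orgs), "groups": set()}

def server_allows(server, user):
    """The user's organization must be attached to the server. If the server
    has groups configured, at least one user group must match too; with no
    server groups, user groups are ignored."""
    if user["org"] is None or user["org"] not in server["orgs"]:
        return False
    if not server["groups"]:
        return True
    return not server["groups"].isdisjoint(user["groups"])

# Constructed sample: the vpn-group1..3 layout from the question above.
EXISTING_ORGS = {"vpn-group1", "vpn-group2", "vpn-group3"}
ORG_MODE_SERVERS = {
    "server1": {"orgs": {"vpn-group1"}, "groups": set()},
    "server2": {"orgs": {"vpn-group2"}, "groups": set()},
    "server3": {"orgs": {"vpn-group3"}, "groups": set()},
}
# Hypothetical groups-mode layout: one organization "sso", servers pick groups.
GROUPS_MODE_SERVERS = {
    "server1": {"orgs": {"sso"}, "groups": {"vpn-group1"}},
    "server2": {"orgs": {"sso"}, "groups": {"vpn-group2"}},
    "server3": {"orgs": {"sso"}, "groups": set()},  # no groups: org only
}

def reachable(sso_groups, mode, servers, existing_orgs, sso_org=None):
    """Return (chosen organization, names of servers the user may connect to)."""
    user = resolve_user(sso_groups, mode, existing_orgs, sso_org)
    return user["org"], {n for n, s in servers.items() if server_allows(s, user)}
```

For the user1 case from the question, the org mode yields organization vpn-group1 and only server1, because sorted() visits vpn-group1 first.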
Regarding this User Azure Group mapping to Pritunl Organizations; is it only done on the initial user login to the Pritunl web portal?
For example, if the user initially logs in with Azure group “vpn-group1” and is mapped to organization “vpn-group1” ; what happens if the user’s Azure group changes to “vpn-group2” ? Will the user automatically get re-mapped to organization “vpn-group2” on the pritunl side?
Hi! We are evaluating the Pritunl now and in our use-case it is necessary that users can belong to multiple groups (if I understand correctly there is always 1-to-1 assignment for organizations).
I found this post that is helpful. However the SSO mode option is not available for generic SAML (I am hooking it up to our Keycloak). Can it be implemented? Or any quick workaround for it?
I will answer myself. After grepping over the source code I realize I can just advertise both ‘org’ and ‘groups’ via SAML. No configuration changes are needed. Seems to work as expected; will continue my trial. Thanks for the code-available approach!